Basic Idea

Given a model M for F*, build a model M for F.
Define a projection function f s.t. the range of f is M(A f), and f (v) = v if v M(A f).
Then, M (f)(v) = M(f)(f (v)).
Basic Idea (diagram of M(f), M(A f), M(f(A f)), the projection f and M (f))
Basic Idea

Given a model M for F*, build a model M for F.
In our example, we have h(b) and h(c):
  A h = { b, c }, and M(A h) = { 2, 3 }
  h = { 2 2, 3 3, else 3 }
  M(h) = { 2 0, 3 1, … }
  M (h) = { 2 0, 3 1, else 1 }
  M (h) = x. if(x=2, 0, 1)
Example

F:
  x1, x2 : g(x1, x2) = 0 h(x2) = 0
  g(f(x1), b) + 1 f(x1)
  h(c) = 1
  f(a) = 0

F*:
  h(c) = 1
  f(a) = 0
  g(f(a), b) + 1 f(a)
  g(f(a), b) = 0 h(b) = 0
  g(f(a), c) = 0 h(c) = 0

M:
  a 2, b 2, c 3
  f { 2 0, … }
  h { 2 0, 3 1, … }
  g { [0,2] -1, [0,3] 0, … }

M (built from M):
  a 2, b 2, c 3
  f x. 2
  h x. if(x=2, 0, 1)
  g x,y. if(x=0 y=2, -1, 0)
Example: Model Checking

M:
  a 2, b 2, c 3
  f x. 2
  h x. if(x=2, 0, 1)
  g x,y. if(x=0 y=2, -1, 0)

Does M satisfy x1, x2 : g(x1, x2) = 0 h(x2) = 0 ?

  x1, x2 : if(x1=0 x2=2, -1, 0) = 0 if(x2=2, 0, 1) = 0   is valid
  x1, x2 : if(x1=0 x2=2, -1, 0) 0 if(x2=2, 0, 1) 0   is unsat
  if(s1=0 s2=2, -1, 0) 0 if(s2=2, 0, 1) 0   is unsat
Why does it work?

Suppose M does not satisfy C[f(x)]. Then for some value v, M {x v} falsifies C[f(x)].
M {x f (v)} also falsifies C[f(x)].
But there is a term t A f s.t. M(t) = f (v). Moreover, we instantiated C[f(x)] with t.
So M must not satisfy C[f(t)]. Contradiction: M is a model for F*.
Refinement: Lazy construction

F* may be very big (or infinite).
Lazy construction: build F* incrementally; F* is the limit of the sequence F0 F1 … Fk …
  If Fk is unsat, then F is unsat.
  If Fk is sat, then build a (candidate) M.
  If M satisfies all quantifiers in F, then return sat.
Refinement: Model-based instantiation

Suppose M does not satisfy a clause C[f(x)] in F.
Add an instance C[f(t)] which “blocks” this spurious model.
Issue: how to find t?
Use model checking and the “inverse” mapping f⁻¹ from values to terms (in A f):
  f⁻¹(v) = t if M (t) = f (v)
Example: Model-based instantiation

F:
  x1 : f(x1) < 0
  f(a) = 1
  f(b) = -1

F0:
  f(a) = 1
  f(b) = -1

M:
  a 2, b 3
  f x. if(x = 2, 1, -1)

Model checking x1 : f(x1) < 0:
  not if(s1 = 2, 1, -1) < 0   gives s1 2
  f⁻¹(2) = a

F1:
  f(a) = 1
  f(b) = -1
  f(a) < 0   unsat
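As an added example (not from the slides), the lazy loop of the last three slides run on this f(x) < 0 instance in Python: the ground solver is a brute-force search over a small value range, the constants are fixed to the slide's values (a 2, b 3), and the quantifier check exploits the projection, so all names and ranges here are assumptions of the example.

```python
from itertools import product
import operator

# Constructed to match the slide: F = { forall x. f(x) < 0, f(a) = 1, f(b) = -1 }.
# Assumption: constants are fixed as on the slide (a -> 2, b -> 3), so A_f = {a, b}
# and M(A_f) = {2, 3}; only the values of f are searched.
CONSTS = {"a": 2, "b": 3}
VALUES = range(-2, 3)          # assumed search space for values of f
EQ, LT = operator.eq, operator.lt

def clause_body(fx):
    """C[f(x)] for the quantified clause  forall x. f(x) < 0."""
    return fx < 0

def ground_sat(literals):
    """Brute-force ground solver: find values of f on M(A_f) satisfying every
    ground literal (const, op, k), meaning  f(const) op k.  None if unsat."""
    points = sorted(set(CONSTS.values()))
    for vals in product(VALUES, repeat=len(points)):
        f = dict(zip(points, vals))
        if all(op(f[CONSTS[c]], k) for c, op, k in literals):
            return f
    return None

def project(v, dom):
    """Projection: identity on M(A_f); every other value goes to a fixed element."""
    return v if v in dom else max(dom)

def mbqi(literals, max_rounds=10):
    """Lazy construction F_0, F_1, ... driven by model-based instantiation.
    Returns (verdict, ground literals of the last F_k)."""
    literals = list(literals)
    for _ in range(max_rounds):
        f = ground_sat(literals)
        if f is None:
            return "unsat", literals           # F_k unsat, hence F unsat
        dom = set(f)
        # Candidate model: M'(f)(v) = M(f)(project(v)).  Because project maps
        # every integer into dom, checking forall x over Z reduces to dom.
        bad = [v for v in dom if not clause_body(f[project(v, dom)])]
        if not bad:
            return "sat", literals             # M' satisfies the quantifier
        v = bad[0]                             # value v falsifying C[f(x)]
        t = next(c for c, val in CONSTS.items() if val == v)   # f^-1(v) = t
        literals.append((t, LT, 0))            # add the instance f(t) < 0
    return "unknown", literals

def slide_example():
    return mbqi([("a", EQ, 1), ("b", EQ, -1)])
```

The first round finds f(a) = 1 as the spurious value, maps 2 back to the term a, adds f(a) < 0, and the second round's ground check fails, reproducing the slide's F1.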
Infinite F*

Is refutationally complete?
FOL Compactness: a set of sentences is unsatisfiable iff it contains an unsatisfiable finite subset.
A theory T is a set of sentences; then apply compactness to F* T.
Infinite F* (diagram: applying COMPACTNESS to an infinite set of first-order sentences F* ∪ T yields a finite subset)
Infinite F*: Example

F (unsatisfiable):
  x1 : f(x1) < f(f(x1))
  x1 : f(x1) < a
  1 < f(0)

F*:
  f(0) < f(f(0)), f(f(0)) < f(f(f(0))), …
  f(0) < a, f(f(0)) < a, …
  1 < f(0)

Every finite subset of F* is satisfiable.
Infinite F*: What is wrong?

Theory of linear arithmetic: T Z is the set of all first-order sentences that are true in the standard structure Z.
T Z has non-standard models. F and F* are satisfiable in a non-standard model.
Alternative: a theory is a class of structures. Compactness does not hold. F and F* are still equisatisfiable.
Extensions

Shifting:
  (0 x1) (x1 n) f(x1) = g(x1 + 2)
Extensions

Many-sorted logic
Pseudo-macros:
  0 g(x1) f(g(x1)) = x1
  0 g(x1) h(g(x1)) = 2x1
  g(a) < 0
Extensions

Online tutorial at: http://rise4fun.com/z3/tutorial